
How to Confirm Apple Live Photos

Apple introduced Live Photos with iPhone 6s and iOS 9. A Live Photo is essentially a still image combined with a short (3 second) video with sound. Selecting or pressing your finger on a Live Photo makes it come to life, with full audio support. Live Photos can be viewed on iOS devices and Mac computers within the Photos application.

Analysis

When analyzing iOS devices or Mac computers, examiners may find a series of pictures and videos with the same IMG_### name.

BlackLight view of Live Photo. Note: .JPG and .MOV file have the same file name.

This would not normally be expected, as iOS devices save pictures and videos in sequence.
Live Photos are generally made up of a .jpg image combined with a .mov video file. On an iPhone 7 and above, when the user has set the device to take high-efficiency HEIC/HEVC pictures and videos (Settings➔Camera➔Formats), Live Photos will be saved with an .HEIC picture but still retain a .mov file for the video portion.

BlackLight view of Live Photos showing .MOV and .HEIC files.

Even though this is good empirical evidence that these files are part of a Live Photo set, it is not definitive. Analysis of Live Photos has found that each member of a Live Photo set contains a content identifier, which is a UUID. This UUID can be used to identify each part of a Live Photo.

BlackLight showing Content Identifier UUID in both image and video files.

Looking at the UUID, we see that it contains five sets of letters and numbers separated by dashes. The first set contains eight letters and numbers, the next three include four letters and numbers each, and the last set consists of twelve letters and numbers. This pattern exists for all Live Photos seen on iOS and macOS devices. We can leverage this pattern to search for Live Photos.

Searching for Live Photos

BlackLight has a powerful search function, where examiners can take advantage of several options to narrow down the data they must search. Searching for data patterns is one of the advanced features of BlackLight’s search functionality. To do this, we can create a RegEx (regular expression) keyword within BlackLight to find our UUID pattern within a specific set of files.

We will use this RegEx pattern: (\w{8}(-\w{4}){3}-\w{12}?)

This pattern searches the evidence item for:

  1. Eight alphanumeric characters followed by a dash
  2. Three sets of four alphanumeric characters separated by dashes
  3. Twelve alphanumeric characters

Steps to Prepare the Search

1. Select the search view within BlackLight
2. Select the evidence item you wish to search
3. Optionally, select a path where you would expect to find Live Photos. In this example we are looking at /mobile/Media/DCIM/ where pictures and videos are normally stored when captured on the device.
4. Enter the RegEx expression (\w{8}(-\w{4}){3}-\w{12}?).
5. Ensure you select “Selected Keyword is RegEx Pattern”
6. Select “Start Search”

BlackLight showing search for Live Photos. Note that the keyword is selected and checked under “Regular Expression Keyword”.

Results

BlackLight search results showing Live Photos images (HEIC) and videos (MOV).

The files shown above are part of Live Photo containers. As discussed earlier, both the image file (HEIC in this case) and the video file (MOV) have the same IMG_ number.

Taking IMG_0569 as an example, there is both a HEIC (high efficiency picture) and a MOV file with that name. Selecting each file in BlackLight will highlight data that matches the RegEx keyword we entered. As can be seen, IMG_0569.HEIC and IMG_0569.MOV both contain matching UUIDs. These files can therefore be confirmed as elements of a Live Photo. The matching UUIDs confirm their relationship as depicting the same image.

BlackLight view showing IMG_0569.HEIC with content identifier UUID 468AF519-85AA-4803-981D-3317016A1C53

BlackLight view showing IMG_0569.MOV with content identifier UUID 468AF519-85AA-4803-981D-3317016A1C53
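The same confirmation can be scripted over an exported DCIM folder; the following is an added example, not BlackBag or BlackLight code, that groups stills and videos by shared file name and confirms a Live Photo only when both files contain the same UUID. It assumes the content identifier appears as plain ASCII text in each file, as the search hits above suggest; the function names are hypothetical, the pattern is restricted to hex digits (tighter than the \w pattern used above), and the sample files are constructed.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Hex-only UUID shape (tighter than \w, which also matches "_" and G-Z); the
# lookarounds stop a longer hex run from being reported as a UUID.
UUID_RE = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}"
                     rb"-[0-9A-Fa-f]{12}(?![0-9A-Fa-f])")
KIND = {".jpg": "still", ".jpeg": "still", ".heic": "still", ".mov": "video"}


def uuids_in_file(path):
    """UUID-shaped ASCII strings in the raw bytes (reads the whole file)."""
    data = path.read_bytes()
    return {m.group().decode("ascii").upper() for m in UUID_RE.finditer(data)}


def confirm_live_photos(root):
    """Map 'dir/IMG_nnnn' to the UUIDs shared by its still and its video."""
    root = Path(root)
    groups = defaultdict(lambda: {"still": set(), "video": set()})
    for path in root.rglob("*"):
        kind = KIND.get(path.suffix.lower())
        if kind and path.is_file():
            groups[path.with_suffix("")][kind] |= uuids_in_file(path)
    # A shared file name alone is not enough: require a UUID common to both.
    return {stem.relative_to(root).as_posix(): sorted(f["still"] & f["video"])
            for stem, f in groups.items() if f["still"] & f["video"]}


def demo():
    """Constructed files: one true pair and one same-name pair with no match."""
    cid = b"468AF519-85AA-4803-981D-3317016A1C53"    # UUID quoted in the article
    other = b"00000000-1111-2222-3333-444444444444"  # constructed value
    files = {"IMG_0569.HEIC": b"\x00ftypheic\x00" + cid + b"\x00",
             "IMG_0569.MOV": b"\x00moov" + other + b"\x00" + cid,
             "IMG_0570.JPG": b"\xff\xd8" + other,
             "IMG_0570.MOV": b"\x00moov, no identifier"}
    with tempfile.TemporaryDirectory() as tmp:
        dcim = Path(tmp, "100APPLE")
        dcim.mkdir()
        for name, data in files.items():
            (dcim / name).write_bytes(data)
        return confirm_live_photos(tmp)


if __name__ == "__main__":
    print(demo())
```

Files may contain other UUID-shaped strings besides the content identifier, which is why the script reports only values present in both members of a same-named pair.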

To find out more about advanced Mac and iOS forensic techniques and analysis, check out BlackBag’s Essential Forensic Techniques: Triage and Analysis of Digital Data course and Essential Forensic Techniques: In-Depth Digital Forensic Analysis course.

If you are interested in harnessing the power of BlackLight to assist you in your investigations and analysis, check out BlackBag’s new Digital Forensics Basics course offerings or request a training on-site.

Have further questions? Email sales@blackbagtech.com.

BlackBag Team

With hundreds of years of combined experience in law enforcement, forensics research and development, and corporate investigations, our team understands forensics. Digital Forensics is more challenging than ever before due to advancements in technology. The BlackBag Team exists to find solutions for these challenges, thereby empowering our customers to seek, reveal, and preserve the truth. Meet some of our experts at https://www.blackbagtech.com/company/our-team/